Chrome 57

Credentials can be shared from a different subdomain

Chrome can now retrieve a credential stored in a different subdomain using the
Credential Management API.
For example, if a password is stored in login.example.com,
a script on www.example.com can show it as one of the account items in the account chooser dialog.

You must explicitly store the password using navigator.credentials.store(),
so that when a user chooses a credential by tapping on the dialog,
the password gets passed and copied to the current origin.

Once it's stored, the password is available as a credential
on the exact same origin, www.example.com, from then on.

In the following screenshot, credential information stored under login.aliexpress.com
is visible to m.aliexpress.com and available for the user to choose from:

Coming soon:
Sharing credentials between totally different domains is in development.

Feature detection needs attention

To see if the Credential Management API for accessing password-based and
federated credentials is available, check whether window.PasswordCredential or
window.FederatedCredential is defined.

if (window.PasswordCredential || window.FederatedCredential) {
  // The Credential Management API is available
}

Warning: Feature detection by checking navigator.credentials may break your
website on browsers that support WebAuthn (PublicKeyCredential) but not all
credential types (PasswordCredential and FederatedCredential) defined by the
Credential Management API. Learn more.

PasswordCredential object now includes password

The Credential Management API took a conservative approach to handling passwords.
It concealed passwords from JavaScript, requiring developers
to send the PasswordCredential object directly to their server
for validation via an extension to the fetch() API.

But this approach introduced a number of restrictions.
We received feedback that developers could not use the API because:

They had to send the password as part of a JSON object.

They had to send the hash value of the password to their server.

After performing a security analysis and recognizing that concealing passwords
from JavaScript did not prevent all attack vectors as effectively as we were hoping,
we have decided to make a change.

The Credential Management API now includes the raw password
in a returned credential object, so you have access to it as plain text.
You can use existing methods to deliver credential information to your server.

requireUserMediation() renamed to preventSilentAccess()

To align nicely with the new mediation property offered in the get() call,
the navigator.credentials.requireUserMediation() method has been renamed to
navigator.credentials.preventSilentAccess().

The renamed method prevents a credential from being passed to the page without showing the account chooser
(sometimes described as passing it without user mediation).
This is useful when a user signs out of a website or unregisters
from one and doesn't want to get signed back in automatically on the next visit.
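The following is an added example, not code from these Chrome 57 notes or from Chrome itself. It puts together the two flows described above: signing in with a PasswordCredential whose password field is now readable, sending it to the server with an ordinary fetch() POST, explicitly storing it on success, and calling preventSilentAccess() at sign-out so the next get({ mediation: 'optional' }) cannot return a credential silently. The endpoint paths (/login, /logout), the account ('alice'), and the stand-in credential store and fetch function are all constructed here so the flow can run outside a browser; in a page you would pass navigator.credentials and window.fetch instead.

```javascript
// Added example (not from the Chrome 57 notes). The credential container and
// fetch are passed in as parameters so the same logic runs in a browser
// (navigator.credentials, fetch) or offline with the stand-ins below.

// Build the POST body from a PasswordCredential. Since Chrome 57 the raw
// password is readable, so it goes into a plain form field: no JSON wrapping
// and no client-side hashing is needed.
function credentialToFormBody(cred) {
  if (!cred || cred.type !== 'password') {
    throw new TypeError('expected a PasswordCredential');
  }
  const body = new URLSearchParams();
  body.set('username', cred.id);
  body.set('password', cred.password);
  return body;
}

// Sign in. Returns the signed-in user id, or null if no credential was
// available or the server rejected it. Assumed endpoint: /login.
async function signIn({ credentials, fetchFn, endpoint = '/login' }) {
  // mediation: 'optional' lets the browser hand back a credential silently,
  // unless preventSilentAccess() has been called since the last sign-in.
  const cred = await credentials.get({ password: true, mediation: 'optional' });
  if (!cred) return null;

  const res = await fetchFn(endpoint, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: credentialToFormBody(cred),
  });
  if (!res.ok) return null;

  // Store explicitly so the credential is available on this exact origin
  // next time (and gets copied here if it came from a sibling subdomain).
  await credentials.store(cred);
  return cred.id;
}

// Sign out, then ask the browser not to return a credential without user
// mediation until the user signs in again. Assumed endpoint: /logout.
async function signOut({ credentials, fetchFn, endpoint = '/logout' }) {
  await fetchFn(endpoint, { method: 'POST', credentials: 'include' });
  await credentials.preventSilentAccess();
}

// ---- Constructed stand-ins so the flow runs outside a browser ----

// Minimal model of the browser's credential store. Where a real browser
// would show the account chooser, this model returns null (no user present).
function makeFakeCredentialStore(initial) {
  const store = new Map(initial.map((c) => [c.id, c]));
  let silentAccessAllowed = true;
  return {
    silentAccessAllowed: () => silentAccessAllowed,
    async get({ password, mediation }) {
      if (!password || store.size === 0) return null;
      if (mediation === 'optional' && !silentAccessAllowed) return null; // chooser would appear
      return [...store.values()][0];
    },
    async store(cred) {
      store.set(cred.id, { ...cred });
      silentAccessAllowed = true; // the user just mediated a sign-in
    },
    async preventSilentAccess() {
      silentAccessAllowed = false;
    },
  };
}

// Fake server that accepts exactly one constructed account.
function makeFakeFetch(validUser, validPassword) {
  return async (url, init) => {
    if (url !== '/login') return { ok: true };
    const body = new URLSearchParams(init.body);
    const ok = body.get('username') === validUser && body.get('password') === validPassword;
    return { ok };
  };
}

async function demo() {
  const credentials = makeFakeCredentialStore([
    { type: 'password', id: 'alice', password: 'correct-horse' }, // constructed account
  ]);
  const fetchFn = makeFakeFetch('alice', 'correct-horse');
  console.log('first visit :', await signIn({ credentials, fetchFn })); // alice
  await signOut({ credentials, fetchFn });
  console.log('after logout:', await signIn({ credentials, fetchFn })); // null
}
demo();
```

The stand-in store is only a model: in a real browser, a get() call after preventSilentAccess() shows the account chooser instead of returning null, and the user can still pick the account; what changes is that the page can no longer be signed in without that tap.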